I am curious if other sites have had similar false SYN attacks (this one was reported by BBN and SI.NET to us). Here is the report from the offending site: ------------------------------------------------- As a result of a potential SYN attack that was reported to us and that may have originated from NCC, NCC has held an inquiry with a team lead by myself and including the NC VP for technology, and the NCC Ssytem Administrator and security officer. The Inquiry has found the following facts: NCC Internet connection for all NCC employess relys on a Microsoft Proxy Server code named CataPult (Beta Release) Which runs on an NT machine. It was only installed at NCC several days ago. The product has what it defines as a smart cache which decides itself to go fetch via HTTP updates of information on the Internet according to URL addresses it finds in its cache (which are more likely to be visited once again). This in theory provides improved performance for users browsing the Internet. The default update frequency value in this Beta release was set by Microsoft to be way too low ( a matter of seconds).Once a certain site in the cache is too busy and the Proxy Server fails to make the connection (like in this case when www.wellsfargo.com failed with cause 10060 connection timeout), the Proxy tries again. It is easy to distinguish on the log between a connection request made by a uset via a connection attempt made by CataPult Proxy Server. We are attaching two files which are the log that shows all activity on Oct 24th (file a.a) and all specific connection attampts to wells fargo(file b.b). We did chnage the timoout for this retry attempt to be much higher than the 1 minute value that was configured by default by Microsoft. -------------------------------------------------------------- Have other sites been using Catapault and seeing this problem? Hank
participants (1)
-
Hank Nussbacher